The EU Cookie Law – Don’t Panic Captain Mainwaring!

You may or may not be aware that the ICO (Information Commissioner’s Office) has an EU-mandated “Cookie Law” which comes into force on Sunday May 27th.

The law applies to any website in the EU that uses cookies and/or similar technologies to store information on the end user’s equipment (computer or mobile device) when they visit that website.

Don’t panic Captain Mainwaring, we’ll tell you everything you need to know and how you go about becoming compliant to avoid the wrath of the ICO.

What is a Cookie?

Well, apart from the obvious biscuit-based answer, and without getting into too much technical jargon, they are small files which are placed on a visitor’s computer when visiting a website and which contain data specific to that visitor. For example, web browser type, operating system and personal details such as names.

Who needs to comply with the new EU mandate?

The new mandate applies to owners of any website operating within the EU, and to those outside the EU if their target customers or audience are in the EU.

How do you comply?

Well, it’s not entirely clear, I’m afraid, with many people even doubting whether the ICO themselves have a truly clear understanding of what is expected.

The only truly clear part of the mandate is that users of the site need to be informed if cookies are being used on the site. Our understanding is that there’s no clear directive on how that should be done, nor on whether users need to opt in (consent) to the use of cookies, or whether, after informing users that cookies are being used, consent can be implied from use of the site.

The BBC, for example, seems to have chosen to assume consent. Initially it points users to a page informing them of the cookies it uses and allows them to disable the various cookie types. By default the cookies are enabled, and simply moving off that page saves those settings. With many developers and digital companies using the BBC site as a benchmark, we’ll probably see assumed consent become the norm.

*UPDATE – 28/05/2012*

In a last-minute change to the guidelines the ICO made a crucial change to the wording which suggests that implied/assumed consent is allowed.

“Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices.”

What if you don’t comply?

It’s not entirely clear what sort of punishment can be expected for sites found not to be complying, or to what degree website owners need to comply by the 27th.

“We don’t expect all organisations not compliant on the 27th to have some evidence of taking action to be compliant.” – David Evans, ICO

This article on The Register suggests the ICO will use a light touch initially, with as few as 50 of the UK’s largest websites found not to be complying receiving a letter telling them they’re being naughty, and then waiting for complaints from the public before acting further.

What does seem clear, however, is that ignorance won’t be a valid excuse and that being able to show that at least some action has been undertaken to understand and comply is expected.

Here are some links to further information to help you decide how you’d like to interpret the mandate:

Well, it’s entirely up to you and your own legal department to decide the best course of action for your website, but here’s a checklist to help you on your way.

Ensure your legal department is informed and seek their advice on solutions

Complete a cookie audit on your site to help make a judgement on what is acceptable – the very helpful Chrome plugin from Attacat will help with that

Decide on how you’re going to inform users about the cookies you’ll continue to use

Decide if user opt-in (consent) is required or will be assumed

Make the necessary changes to your site
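To give a feel for what the cookie audit step actually involves, here is an added example (our own illustration for this post, not code from the Attacat plugin or from any other tool) that parses the Set-Cookie response headers a site sends and reports, for each cookie, whether it is a session or persistent cookie, how long it lives, whether it is first- or third-party, and whether it carries the Secure and HttpOnly flags. The host name and the headers are constructed sample data.

```javascript
// Added example for the cookie-audit step; this is not code from the post,
// from PushON, or from the Attacat plugin. It parses Set-Cookie response
// headers (the same information a browser extension reads from the site)
// and reports what each cookie is: session or persistent, first- or
// third-party, and whether it carries the Secure and HttpOnly flags.

// Assumed first-party host for the site being audited.
const SITE_HOST = 'www.example-shop.test';

// Constructed sample headers, as a browser might receive them from a page load.
const SAMPLE_SET_COOKIE_HEADERS = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure',
  'basket=3items; Path=/; Expires=Wed, 30 May 2012 10:00:00 GMT',
  '__utma=1.2.3.4; Domain=.example-shop.test; Expires=Sun, 25 May 2014 10:00:00 GMT; Path=/',
  'ad_id=xyz; Domain=.ads.thirdparty.test; Max-Age=31536000; Path=/',
];

// Parse one Set-Cookie header into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    domain: null,
    path: '/',
    expires: null,
    maxAge: null,
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val;
    else if (key === 'expires') cookie.expires = new Date(val);
    else if (key === 'max-age') cookie.maxAge = parseInt(val, 10);
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Classify a parsed cookie for the audit report. Max-Age wins over Expires,
// as it does in browsers; a cookie with neither is a session cookie.
function classifyCookie(cookie, siteHost, now = new Date()) {
  const persistent = cookie.maxAge !== null || cookie.expires !== null;
  let lifetimeDays = 0;
  if (cookie.maxAge !== null) lifetimeDays = cookie.maxAge / 86400;
  else if (cookie.expires !== null) lifetimeDays = (cookie.expires - now) / 86400000;
  // Without a Domain attribute the cookie is host-only for the setting host.
  const domain = cookie.domain || siteHost;
  const firstParty = siteHost === domain || siteHost.endsWith('.' + domain);
  return {
    name: cookie.name,
    persistent,
    lifetimeDays: Math.max(0, Math.round(lifetimeDays)),
    firstParty,
    secure: cookie.secure,
    httpOnly: cookie.httpOnly,
  };
}

// Run the audit over a list of headers; returns one row per cookie.
function auditCookies(headers, siteHost, now) {
  return headers.map((h) => classifyCookie(parseSetCookie(h), siteHost, now));
}

// Print the audit table, with "now" pinned to the day the law comes into force.
console.table(auditCookies(SAMPLE_SET_COOKIE_HEADERS, SITE_HOST, new Date('2012-05-27T00:00:00Z')));
```

Run it with node and you get one row per cookie. The rows that need a decision are the persistent, third-party ones (the constructed ad_id cookie here): those are the cookies an opt-in or implied-consent policy has to cover, whereas a session cookie that only keeps the basket working is the kind most readings of the guidance treat as strictly necessary.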

What has PushON chosen to do?

We’ve chosen to implement a small JavaScript plugin called “Cookie Control” which requests users’ consent to use cookies (but assumes consent for users who choose to ignore it) and links to our privacy policy, which outlines further details of what we use cookies for.
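To make the difference between opt-in and assumed consent concrete, here is an added example of the decision logic behind a banner like that. It is our own illustration for this post, not the Cookie Control plugin’s code or API; the policy names, cookie categories and functions are all assumptions. Essential cookies (session, basket) are always allowed; anything else is only written once the chosen policy says consent exists, and under the implied policy carrying on browsing after the notice counts as consent unless the user declines.

```javascript
// Added example, not the Cookie Control plugin's code or API and not code
// from the post: a minimal consent gate deciding whether a cookie may be
// stored. It models two policies: strict opt-in, and the implied-consent
// approach described above (ask the user, but treat continued browsing
// as consent unless they decline). Names and categories are assumptions.

const ESSENTIAL = 'essential';                      // e.g. session id, basket
const NON_ESSENTIAL = ['analytics', 'advertising']; // need consent first

function createConsentState(policy) {
  if (policy !== 'opt-in' && policy !== 'implied') {
    throw new Error(`unknown consent policy: ${policy}`);
  }
  return { policy, noticeShown: false, decision: null, pageViewsSinceNotice: 0 };
}

// The banner has been rendered; the user has now been informed.
function showNotice(state) {
  return { ...state, noticeShown: true };
}

// The user loaded another page after seeing the notice.
function recordPageView(state) {
  if (!state.noticeShown) return state;
  return { ...state, pageViewsSinceNotice: state.pageViewsSinceNotice + 1 };
}

// The user clicked accept or decline on the banner.
function recordDecision(state, decision) {
  if (decision !== 'accept' && decision !== 'decline') {
    throw new Error(`unknown decision: ${decision}`);
  }
  return { ...state, decision };
}

function hasConsent(state) {
  if (state.decision === 'decline') return false;
  if (state.decision === 'accept') return true;
  // No explicit choice. Under opt-in that means no consent; under implied
  // consent, carrying on past the notice counts as consent.
  return state.policy === 'implied' && state.noticeShown && state.pageViewsSinceNotice > 0;
}

// Essential cookies are always allowed; everything else needs consent.
function mayStore(state, category) {
  if (category === ESSENTIAL) return true;
  if (!NON_ESSENTIAL.includes(category)) {
    throw new Error(`unknown cookie category: ${category}`);
  }
  return hasConsent(state);
}

// Build the Set-Cookie header the server would send, or null when the
// cookie must not be stored under the current consent state.
function buildSetCookie(state, { name, value, category, maxAge }) {
  if (!mayStore(state, category)) return null;
  let header = `${name}=${encodeURIComponent(value)}; Path=/; Secure`;
  if (typeof maxAge === 'number') header += `; Max-Age=${maxAge}`;
  return header;
}

// Walk-through with the implied-consent policy described in the post.
const analytics = { name: '_ga', value: 'x', category: 'analytics', maxAge: 63072000 };
let state = createConsentState('implied');
state = showNotice(state);
console.log('first page:', buildSetCookie(state, analytics));    // null
state = recordPageView(state);
console.log('second page:', buildSetCookie(state, analytics));   // header string
state = recordDecision(state, 'decline');
console.log('after decline:', buildSetCookie(state, analytics)); // null
console.log('session cookie:', buildSetCookie(state, { name: 'sid', value: 'abc', category: ESSENTIAL }));
```

The one piece of state a real implementation has to persist is the user’s decision itself, and the usual place for that is a cookie of its own; that cookie exists only to honour the user’s choice, which is why it sits in the essential category rather than needing consent of its own.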

If you’re a customer of PushON with a valid security and maintenance package we’ll happily implement that for you gratis.

If you’re a customer of PushON without a valid security and maintenance package we can still implement the plugin, but we’ll need to charge an appropriate fee. The implementation fee should only be a small nominal admin fee to cover time spent, but each site will need to be reviewed first before we can agree a definite cost.